CVE-2020-10744

EUVD-2020-0020
An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.
Race Condition
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
redhatCNA
5 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
redhatansible
2.7.0 ≤
𝑥
≤ 2.7.18
redhatansible
2.8.0 ≤
𝑥
≤ 2.8.12
redhatansible
2.9.0 ≤
𝑥
≤ 2.9.9
redhatansible_tower
3.4.0 ≤
𝑥
≤ 3.4.5
redhatansible_tower
3.5.0 ≤
𝑥
≤ 3.5.6
redhatansible_tower
3.6.0 ≤
𝑥
≤ 3.6.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ansible
bookworm
7.7.0+dfsg-3+deb12u1
fixed
bullseye
2.10.7+merged+base+2.10.17+dfsg-0+deb11u1
fixed
buster
not-affected
sid
10.5.0+dfsg-2
fixed
stretch
not-affected
trixie
10.5.0+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ansible
bionic
Fixed 2.5.1+dfsg-1ubuntu0.1+esm1
released
eoan
ignored
focal
Fixed 2.9.6+dfsg-1ubuntu0.1~esm1
released
groovy
ignored
hirsute
ignored
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
needs-triage
xenial
Fixed 2.0.0.2-2ubuntu1.3+esm1
released
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744